snowflakedb/libsnowflakeclient

SNOW-591175: util-linuxv2.36: 2 vulnerabilities (highest severity is: 5.5) - autoclosed


Vulnerable Library - util-linuxv2.36

Library home page: https://github.com/karelzak/util-linux.git

Vulnerable Source Files (2)

/deps/util-linux.tar/util-linux/libmount/src/context_umount.c
/deps/util-linux.tar/util-linux/libmount/src/optstr.c

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2021-3996 | Medium | 5.5 | util-linuxv2.36 | Direct | v2.37.3 | |
| CVE-2021-3995 | Medium | 4.7 | util-linuxv2.36 | Direct | v2.37.3 | |

Details

CVE-2021-3996

Vulnerable Library - util-linuxv2.36

Library home page: https://github.com/karelzak/util-linux.git

Found in base branch: master

Vulnerable Source Files (1)

/deps/util-linux.tar/util-linux/libmount/src/tab_parse.c

Vulnerability Details

A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.

Publish Date: 2021-11-22

URL: CVE-2021-3996

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-3996

Release Date: 2021-11-22

Fix Resolution: v2.37.3

CVE-2021-3995

Vulnerable Library - util-linuxv2.36

Library home page: https://github.com/karelzak/util-linux.git

Found in base branch: master

Vulnerable Source Files (2)

/deps/util-linux.tar/util-linux/libmount/src/context_umount.c
/deps/util-linux.tar/util-linux/libmount/src/optstr.c

Vulnerability Details

A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows an unprivileged local attacker to unmount FUSE filesystems that belong to certain other users who have a UID that is a prefix of the UID of the attacker in its string form. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems.

Publish Date: 2021-11-22

URL: CVE-2021-3995

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-3995

Release Date: 2021-11-22

Fix Resolution: v2.37.3

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.